A String Representation of LDAP Search Filters
Status of this Memo 


This memo provides information for the Internet community. This memo 
does not specify an Internet standard of any kind. Distribution of 
this memo is unlimited. 


Abstract 


The Lightweight Directory Access Protocol (LDAP) [1] defines a 
network representation of a search filter transmitted to an LDAP 
server. Some applications may find it useful to have a common way of 
representing these search filters in a human-readable form. This 
document defines a human-readable string format for representing LDAP 
search filters. 


1. LDAP Search Filter Definition 


An LDAP search filter is defined in [1] as follows: 


    Filter ::= CHOICE {
        and                [0] SET OF Filter,
        or                 [1] SET OF Filter,
        not                [2] Filter,
        equalityMatch      [3] AttributeValueAssertion,
        substrings         [4] SubstringFilter,
        greaterOrEqual     [5] AttributeValueAssertion,
        lessOrEqual        [6] AttributeValueAssertion,
        present            [7] AttributeType,
        approxMatch        [8] AttributeValueAssertion
    }

    SubstringFilter ::= SEQUENCE {
        type    AttributeType,
        SEQUENCE OF CHOICE {
            initial        [0] LDAPString,
            any            [1] LDAPString,
            final          [2] LDAPString
        }
    }


Howes [Page 1] 


RFC 1558 Representation of LDAP Filters December 1993 


    AttributeValueAssertion ::= SEQUENCE {
        attributeType   AttributeType,
        attributeValue  AttributeValue
    }

    AttributeType ::= LDAPString
    AttributeValue ::= OCTET STRING
    LDAPString ::= OCTET STRING


where the LDAPString above is limited to the IA5 character set. The 
AttributeType is a string representation of the attribute object 
identifier in dotted OID format (e.g., "2.5.4.10"), or the shorter 
string name of the attribute (e.g., "organizationName", or "o"). The 
AttributeValue OCTET STRING has the form defined in [2]. The Filter 
is encoded for transmission over a network using the Basic Encoding 
Rules defined in [3], with simplifications described in [1]. 


2. String Search Filter Definition 


The string representation of an LDAP search filter is defined by the 
following BNF. It uses a prefix format. 


    <filter> ::= '(' <filtercomp> ')'
    <filtercomp> ::= <and> | <or> | <not> | <item>
    <and> ::= '&' <filterlist>
    <or> ::= '|' <filterlist>
    <not> ::= '!' <filter>
    <filterlist> ::= <filter> | <filter> <filterlist>
    <item> ::= <simple> | <present> | <substring>
    <simple> ::= <attr> <filtertype> <value>
    <filtertype> ::= <equal> | <approx> | <greater> | <less>
    <equal> ::= '='
    <approx> ::= '~='
    <greater> ::= '>='
    <less> ::= '<='
    <present> ::= <attr> '=*'
    <substring> ::= <attr> '=' <initial> <any> <final>
    <initial> ::= NULL | <value>
    <any> ::= '*' <starval>
    <starval> ::= NULL | <value> '*' <starval>
    <final> ::= NULL | <value>


<attr> is a string representing an AttributeType, and has the format
defined in [1]. <value> is a string representing an AttributeValue,
or part of one, and has the form defined in [2]. If a <value> must
contain one of the characters '*' or '(' or ')', these characters
should be escaped by preceding them with the backslash '\' character.


3. Examples


This section gives a few examples of search filters written using 
this notation. 


    (cn=Babs Jensen)
    (!(cn=Tim Howes))
    (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
    (o=univ*of*mich*)
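
The BNF of section 2 and its escaping rule, written out as a small recursive-descent parser in Python. This is an added example, not part of the memo. The names parse_filter and escape_value, the tuple shape of the result, the character set accepted for <attr>, and the escaping of the backslash itself are assumptions made here.

```python
import re

ITEM = re.compile(r"([A-Za-z0-9.-]+)(~=|>=|<=|=)")  # <attr> charset is an assumption
VALUE = re.compile(r"(?:\\.|[^\\()*])*")            # escaped char or non-metachar

def escape_value(raw):
    # The memo names '*', '(' and ')'; escaping '\' as well is an added assumption.
    return re.sub(r"([*()\\])", r"\\\1", raw)

def parse_filter(s):
    node, pos = _filter(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return node

def _filter(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1:i + 2]
    if op in ("&", "|"):                    # <and>/<or>: one or more <filter>
        kids, i = [], i + 2
        while not kids or s[i:i + 1] == "(":
            kid, i = _filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif op == "!":                         # <not>: exactly one <filter>
        kid, i = _filter(s, i + 2)
        node = ("!", kid)
    else:
        node, i = _item(s, i + 1)
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def _item(s, i):
    m = ITEM.match(s, i)
    if not m:
        raise ValueError(f"bad <item> at offset {i}")
    (attr, op), parts, i = m.groups(), [], m.end() - 1
    while not parts or s[i:i + 1] == "*":   # pieces split on unescaped '*'
        v = VALUE.match(s, i + 1)
        parts.append(re.sub(r"\\(.)", r"\1", v.group()))
        i = v.end()
    if len(parts) == 1:
        return (op, attr, parts[0]), i
    if op != "=":
        raise ValueError("'*' is only valid after '='")
    kind = ("present", attr) if parts == ["", ""] else ("substring", attr, parts)
    return kind, i
```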


4. Security Considerations


Security issues are not discussed in this memo.